Frequently Asked Questions

Choose the client matching your operating system:

• Windows: Primary recommendation — Clash Verge Rev (modern UI, full TUN mode, built-in rule editor). Users who prefer theme customization and multi-core switching can choose Clash Nyanpasu.
• macOS: Primary recommendation — Clash Verge Rev (supports both Intel and Apple Silicon natively). For a lightweight native menu-bar experience, choose ClashX Meta.
• Android: Primary recommendation — ClashMeta for Android (full TUN global proxy, subscription management). For a unified cross-platform experience, choose FlClash (Material You design).
• iOS: Primary recommendation — Stash (best Clash config compatibility, supports rule sets and scripts). Alternatives: Shadowrocket or Spectre Proxy — all require a non-China Apple ID to download.
• Linux: Primary recommendation — Clash Verge Rev (GUI, supports .deb / .rpm / AUR). For servers or routers, use Mihomo Core (CLI).

Visit the Download Page for the latest versions and architecture selection guide.

General steps for importing a subscription in most Clash clients:

1. Copy your subscription URL (usually provided by your service provider).
2. Open the 'Config', 'Subscription', or 'Profiles' tab in the client.
3. Select 'Import from URL' or 'Add Subscription', paste the link, and confirm.
4. Wait for the client to download and parse the config. Once finished, select the profile to activate it.

💡 We recommend enabling 'Auto Update' (e.g., every 24 hours) to automatically fetch the latest node list.

Yes, this is normal. Clash's TUN Mode (transparent proxy) needs to intercept network traffic at the system level, requiring the following permissions:

• Windows: Admin permissions to install the virtual network card driver (WinTUN).
• macOS: Permissions for system extensions or VPN configurations.
• Android / iOS: Permission to create a local VPN connection. Traffic stays on your device and doesn't leave via third-party servers.

If you only need to proxy specific apps like browsers, you can use System Proxy Mode, which doesn't require VPN permissions.

You can verify connectivity in several ways:

• Visit ip.sb or ipinfo.io in your browser. If the displayed IP address has changed, the proxy is active.
• Check the 'Connections' panel in the client to see if there is real-time traffic data.
• Use the built-in 'Latency Test' (Ping) to check node connectivity.

💡 If the IP hasn't changed, ensure you've selected the correct profile and that the proxy mode is enabled (not 'Direct').

YAML is extremely sensitive to indentation. Common errors include:

• Using Tabs for indentation (YAML only allows spaces).
• Missing a space after a colon (e.g., key:value should be key: value).
• Strings containing special characters without quotes.
• Missing a space after the list marker -.

You can paste your config into an online YAML validator (like yaml.online-parser.appspot.com) or use the client's built-in config checker.

The following is a minimal functional config example with basic proxies and rules:

mixed-port: 7890
allow-lan: false
mode: rule
log-level: info
external-controller: 127.0.0.1:9090

dns:
  enable: true
  enhanced-mode: fake-ip
  nameserver:
    - 119.29.29.29
    - 8.8.8.8

proxies:
  - name: "MyNode"
    type: vmess
    server: example.com
    port: 443
    uuid: your-uuid-here
    alterId: 0
    cipher: auto
    tls: true

proxy-groups:
  - name: Proxy
    type: select
    proxies:
      - MyNode
      - DIRECT

rules:
  - GEOIP,CN,DIRECT
  - MATCH,Proxy

Save the above as config.yaml, replace the node info, and import it into your client.

Slow speeds are usually caused by the following factors:

• High Node Load: Use the latency test to switch to a lower-latency, faster-responding node.
• Proxy Mode: In 'Global' mode, all traffic goes through the proxy. For local sites, use 'Rule' mode for smart routing.
• Slow DNS: Check your DNS settings. We recommend 8.8.8.8 or 1.1.1.1 as remote DNS.
• TUN Mode Overhead: TUN mode processes all system traffic, which may increase CPU usage on older devices.

Common causes and solutions for frequent disconnections:

• Unstable Node: Enable an automatic 'fallback' strategy group; Clash will switch to a backup node if the primary one fails.
• Keep-alive Settings: Enable keep-alive-interval in your config to maintain an active connection.
• System Sleep: Network connections drop during sleep. Manually reconnect or restart the client after waking up.
• Firewall/Security Software: Ensure your firewall isn't blocking the client process. Add it to the whitelist.

Some apps don't follow system proxy settings. You need TUN mode for global traffic interception:

• Enable TUN Mode in the client (requires Admin/Root permissions) to intercept all TCP/UDP traffic at the system level.
• For games, you can configure specific routing rules for game server IP ranges.
• On Android, enable 'Bypass LAN' to avoid affecting local communications.

Clash offers several node selection strategies:

• Manual Selection: In the 'Proxies' panel, run a latency test on all nodes and manually pick the fastest one.
• Automatic Selection (url-test): Configure a url-test group; Clash will periodically test speeds and auto-select the fastest node.
• Load Balancing (load-balance): Rotates through multiple nodes, ideal for tasks requiring many simultaneous connections (e.g., downloads).
• Failover (fallback): Automatically switches to a backup node if the primary one is unavailable, ensuring stability.

Clash supports LAN proxy sharing for mobile phones, tablets, etc.:

1. Set allow-lan: true in the config, and set bind-address to "*" or your local IP.
2. Note your computer's local IP (e.g., 192.168.1.100) and HTTP proxy port (default 7890).
3. On other devices, go to Wi-Fi settings and point the HTTP proxy to that IP and port.

💡 On mobile, configure this via Settings → Wi-Fi → Proxy → Manual. Works on both Android and iOS without Root or Jailbreak.

This happens when LAN IPs are routed to the proxy. Solutions:

• Ensure the following rules are at the top of your rule list:

  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,172.16.0.0/12,DIRECT

• Enable the 'Bypass LAN' option in the client settings (supported by most clients).

• Global Mode: All traffic is forced through the proxy, including local sites. Good for debugging, not recommended for daily use.
• Rule Mode: Decides whether traffic goes via Proxy, Direct, or Reject based on your config rules. Recommended for daily use for smart routing.
• Direct Mode: All traffic is direct, bypassing the proxy. Equivalent to disabling the proxy.

Add rules to the rules section of your config and specify the DIRECT strategy:

rules:
  - DOMAIN-SUFFIX,baidu.com,DIRECT
  - DOMAIN-SUFFIX,qq.com,DIRECT
  - DOMAIN-KEYWORD,taobao,DIRECT
  - IP-CIDR,114.114.114.0/24,DIRECT
  - MATCH,Proxy  # Default to proxy

Rules are matched from top to bottom; the first match wins. For complex needs, use 'Rule Providers'.

Rule Providers are externally maintained rule lists (YAML or text) updated by the community. Usage:

rule-providers:
  gfw:
    type: http
    behavior: domain
    url: "https://example.com/gfw.yaml"
    interval: 86400
    path: ./ruleset/gfw.yaml

rules:
  - RULE-SET,gfw,Proxy
  - MATCH,DIRECT

We recommend community-maintained sets like Loyalsoldier/clash-rules (GitHub) for direct routing, ad filtering, and malicious site blocking.

Clash built-in DNS module recommended configuration:

dns:
  enable: true
  ipv6: false
  default-nameserver:
    - 119.29.29.29
  nameserver:
    - https://8.8.8.8/dns-query
    - https://1.1.1.1/dns-query
  enhanced-mode: fake-ip

DNS Leak occurs when proxy traffic passes through the proxy, but DNS queries bypass it and go to local DNS servers, potentially exposing your location. Using fake-ip mode effectively prevents DNS leaks.

Clash can filter ads by setting the REJECT strategy for ad domains using rule sets. No extra plugins needed:

rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    interval: 86400
    path: ./ruleset/reject.yaml

rules:
  - RULE-SET,reject,REJECT
  - MATCH,DIRECT

We recommend reject.txt from Loyalsoldier/clash-rules for blocking ads, trackers, and malicious domains.

Mihomo supports dynamic routing via JavaScript scripts (script mode), ideal for complex scenarios rules can't express:

mode: script

script:
  code: |
    def main(ctx, metadata):
        if metadata["host"].endswith(".cn"):
            return "DIRECT"
        if metadata["dst_port"] == "22":
            return "DIRECT"
        return "Proxy"

Scripts can access metadata (host, src_ip, dst_port, etc.) and ctx (DNS queries, rule matching APIs). Script mode is mutually exclusive with Rule mode and recommended for power users.

Most users should use fake-ip mode. You can exclude incompatible domains (like NTP or LAN domains) in fake-ip-filter.

The Clash core (Mihomo) is 100% open source. It does not collect or upload any user data. Routing and encryption happen locally on your device.

Note the following:

• Your traffic ultimately passes through your node provider, who can technically log metadata (target, time, traffic volume).
• We recommend using encrypted protocols (VLESS + XTLS, Trojan, etc.) for end-to-end encryption.
• Local logs (e.g., connection logs) are stored on your device; you can adjust log levels or disable them in settings.

Your config contains connection credentials. Protect it as follows:

• Never upload configs with node info to public Git repos or share them with others.
• Set appropriate file permissions (e.g., chmod 600 config.yaml on Unix).
• If exposing the external-controller API to the internet, set a strong secret password.
• Change credentials periodically, especially if your device is lost or the config is leaked.

Ensure safety through these methods:

• Official Channels Only: Download from this site's download page or the official GitHub repos.
• Verify File Hashes: Compare the SHA256 checksum on the official Release page with your downloaded file.
• Check Code Signatures: macOS and Windows versions are usually signed by developers and verified by the OS.
• Audit Source Code: All core components are open source on GitHub for your review.

WebRTC is a browser technology that can bypass proxies and expose your real IP. Prevention methods:

• Enable TUN Mode: Intercepts all traffic at the system level, including WebRTC. This is the most thorough solution.
• Browser Extensions: Install uBlock Origin and enable 'Prevent WebRTC from leaking local IP addresses', or use 'WebRTC Network Limiter'.
• Browser Settings: In Firefox, set media.peerconnection.enabled to false in about:config to disable WebRTC entirely.
• Verification: Test for leaks at browserleaks.com/webrtc.

The external-controller (RESTful API) listens to 127.0.0.1:9090 by default and is only accessible locally. If you need remote management:

• Set a strong password: secret: "your-strong-password". Without it, anyone can control your Clash instance.
• Access via SSH tunnel or VPN instead of exposing the API port directly to the internet.
• If binding to 0.0.0.0, use firewall rules to restrict access to trusted IPs.
• The API has full control over your Clash instance (changing configs, switching nodes). Safety is equivalent to SSH access.

Both use the Mihomo core; proxy features are identical. Clash Verge Rev is the primary recommendation for macOS; users who prefer a persistent menu-bar icon can choose ClashX Meta.

💡 Clash Nyanpasu, also built on Tauri, supports multi-core switching and theme customization — a great alternative for Windows / macOS / Linux users who want a personalized experience.

Due to Apple App Store policies, apps named 'Clash' have been removed from the China App Store. iOS users can choose from the following Clash-compatible clients:

• Stash (Primary): Paid app purpose-built for Clash configs. Full support for rule sets, scripts, and MitM decryption. Works on both iPhone and iPad.
• Shadowrocket: Paid app compatible with multiple proxy protocols and Clash subscription formats. Large user base, highly stable.
• Spectre Proxy: Free / in-app purchase. Focused on Clash config format, clean UI, beginner-friendly, available in more App Store regions.

💡 Stash and Shadowrocket require a US or HK Apple ID to purchase and download. Spectre Proxy is available in more regions. Switch accounts via the App Store profile icon — no need to change your primary Apple ID.

Mihomo is the core engine (written in Go) for Clash Meta. All GUI clients use Mihomo as their foundation:

• Mihomo Core: Pure CLI, runs based on YAML configs and provides a RESTful API. Ideal for servers, routers, or power users.
• GUI Clients: Graphical wrappers around the Mihomo core. They communicate with the core via API to provide visual configuration, node management, and latency tests.

Ordinary users should use GUI clients; server or embedded users can use the Mihomo core directly.

Updating the client usually doesn't affect your config files, as they are stored in a separate user data directory. However, we recommend:

• Regularly backing up your config to cloud storage or a safe location.
• Managing nodes via subscription URLs for quick recovery.
• Checking Release Notes for any Breaking Changes before updating.

Steps for manual subscription update in most clients:

• Clash Verge Rev / Clash Nyanpasu (Windows / macOS / Linux): On the 'Config' page, click the 'Update' (refresh) icon on the profile card.
• ClashX Meta (macOS): Click the menu bar icon → Config → select profile → Update Configuration File.
• ClashMeta for Android / FlClash (Android): In 'Profiles', long-press or click the refresh button.

Updating a subscription re-fetches the latest YAML config from the URL, refreshing your node list.

You can configure auto-update intervals for each subscription in the client settings:

• Recommended Interval: 12–24 hours ensures your node list stays fresh without excessive requests.
• Intervals too short (e.g., 1 hour) may get your subscription banned by the provider.
• Intervals too long (over 7 days) may result in using expired nodes.

Common reasons and solutions for subscription update failures:

• Current node can't reach the subscription server: Switch to 'Direct' mode or use a different node to update.
• Subscription expired: Contact your provider for a valid link.
• Server temporarily unavailable: Wait and try again later.
• Invalid URL format: Ensure the link is complete (including https://). Test it directly in a browser.

Upgrade methods by platform:

• Clash Verge Rev (Windows / macOS / Linux): Use 'Check for Updates' in Settings → About, or download the latest installer from GitHub Releases.
• Clash Nyanpasu (Windows / macOS / Linux): Use 'Check for Updates' in Settings → About, or download the latest release from GitHub Releases.
• ClashX Meta (macOS): Download the latest .dmg from GitHub Releases and overwrite the existing install.
• ClashMeta for Android (Android): Download the latest .apk from GitHub Releases and install (allow unknown sources).
• FlClash (Android / Windows / macOS): Download the latest release for your platform from GitHub Releases.
• Mihomo Core: Download the latest binary from GitHub Releases and replace the existing file.

💡 We recommend keeping your client updated for security patches and new protocol support.

The Mihomo core (Clash Meta) supports mainstream industry protocols:

Transport layers supported: WebSocket, HTTP/2, gRPC, QUIC, etc.